The PWIP driver allows OpenVMS systems that are running both the
HP PATHWORKS/Advanced Server and the TCP/IP Services software to
communicate with personal computers running PATHWORKS client software.
It also enables the DECnet-over-TCP/IP feature, which is included with
the DECnet-Plus for OpenVMS Version 6.0 and later software. For more
information about DECnet over TCP/IP, see the DECnet-Plus for OpenVMS
documentation.

You will need to set up accounts for local users, coordinate the
establishment of corresponding accounts on remote systems, and create
accounts for remote users who will be accessing server components on
the local host.

When creating accounts for remote users, you can create one account for
all remote users, an account for groups of remote users, or accounts
for individual users. The strategy you use depends on your
organization, system resources, and security needs.

Certain product components (for example, LPD, RSH, RLOGIN, and NFS) act
as servers for remote clients. You control access to your system and to
these services by giving remote users proxy identities. A proxy
identity maps a user account on one host to an account on another host.
The information you provide with each entry, along with the privileges
you set for the account, lets you specifically grant or deny access to
your system.

The configuration procedure TCPIP$CONFIG creates a proxy database file
called TCPIP$PROXY. You add proxies to this database with the ADD PROXY
command. The TCP/IP Services product allows the following two types of
proxies:

Communication proxy
A communication proxy provides an identity for remote users of RSH,
RLOGIN, RMT/RCD, and LPD. For each host, be sure to define the host
name and any aliases. Proxy entries are case sensitive. Be sure to use
the appropriate case when adding entries for remote users. Enter the
ADD PROXY command as follows:

TCPIP> ADD PROXY user /HOST=host /REMOTE_USER=user

You can use wildcards when adding proxy entries for users on remote
systems. For example, the following command provides the identity STAFF
to any user on the remote host STAR:

TCPIP> ADD PROXY STAFF /HOST=STAR /REMOTE_USER=*

NFS proxy
NFS proxies provide identities for users of NFS client, NFS server,
and PC-NFS. In addition to host and user information, NFS proxies
provide UNIX identities with UID/GID pairs. NFS proxies can specify
access to the NFS client or the NFS server, or both. For example,
the following command provides the OpenVMS identity CHESTER for a local
NFS client user with the UID/GID pair 23/34.

TCPIP> ADD PROXY CHESTER /NFS=OUTGOING /UID=23 /GID=34 /HOST="orbit"

This user can access remote files from the NFS server orbit.

See the HP TCP/IP Services for OpenVMS Management Command Reference manual for a complete description of the ADD PROXY
command. For a more complete discussion about UNIX style identities and
how the NFS server and client use the proxy database, see Chapter 22.
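
The following is an added example, not part of the HP documentation: a small Python audit that reads ADD PROXY commands in the syntax shown above (for instance, from a saved command procedure) and reports entries that map a wildcard to a local account or that risk a case mismatch. The sample lines and the function names are constructed for illustration; the case check assumes that the management utility uppercases unquoted values, as DCL does.

```python
import re

# Constructed sample (not from a real system): ADD PROXY lines in the syntax shown above.
SAMPLE = """\
TCPIP> ADD PROXY STAFF /HOST=STAR /REMOTE_USER=*
TCPIP> ADD PROXY CHESTER /NFS=OUTGOING /UID=23 /GID=34 /HOST="orbit"
TCPIP> ADD PROXY JONES /HOST=star /REMOTE_USER=jones
"""

COMMAND = re.compile(r'\s*(?:TCPIP>\s*)?ADD\s+PROXY\s+([^/\s]+)(.*)', re.I)
QUALIFIER = re.compile(r'/([A-Za-z_]+)=("[^"]*"|[^/\s]+)')

def parse_proxy(line):
    """Return (local_account, {QUALIFIER: (value, was_quoted)}) or None."""
    m = COMMAND.match(line)
    if not m:
        return None
    quals = {}
    for name, raw in QUALIFIER.findall(m.group(2)):
        quals[name.upper()] = (raw.strip('"'), raw.startswith('"'))
    return m.group(1).upper(), quals

def audit(text):
    """Return (line_no, local_account, qualifier, issue) for entries worth a review."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_proxy(line)
        if parsed is None:
            continue
        account, quals = parsed
        for q in ("HOST", "REMOTE_USER"):
            if q not in quals:
                continue
            value, quoted = quals[q]
            if "*" in value:
                # Every matching remote name receives this local identity.
                findings.append((n, account, q, "wildcard"))
            elif not quoted and value != value.upper():
                # Assumption: unquoted text is uppercased on entry, so the
                # stored entry would not match a lowercase remote name.
                findings.append((n, account, q, "unquoted-lowercase"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Each wildcard finding names the local account whose privileges should be reviewed, because every remote user matched by the entry runs with that account's identity.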

If your host is part of an OpenVMS Cluster, you can use a cluster alias
to represent the entire cluster or selected host members. In this case,
the network sees the cluster as a single system with one name.
Alternatively, you can configure clustering using a DNS alias, as
described in Appendix D.

Incoming requests are switched among the cluster hosts at the end of
each cluster time interval (specified with the SET COMMUNICATION
command).

Note

The cluster name is not switched from a host if there are any active
TCP connections to the cluster interface on that host.

A remote host can use the cluster alias to address the cluster as a
single host or the host name of the cluster member to address a cluster
member individually.

All of the TCP/IP services support automatic failover and can be run on
multiple nodes in an OpenVMS Cluster. For example, if more than one
host in the cluster is running the NFS server, the cluster can appear
to the NFS client as a single host. For more information about
configuring a specific service for cluster failover, refer to the
chapter in this manual that discusses the particular service.

The auxiliary server is the TCP/IP Services implementation of the UNIX
internet daemon (inetd). In addition to standard inetd functions, the
auxiliary server provides access control and event logging.

The auxiliary server listens continuously
for incoming requests and acts as a master server for programs
specified in its configuration file. The auxiliary server reduces the
load on the system by invoking services only as they are needed.

The auxiliary server listens for connections on the internet addresses
of the services that its configuration file (TCPIP$SERVICE.DAT)
specifies. When a connection is found, it invokes the server daemon for
the service requested. Once a server is finished, the auxiliary server
continues to listen on the socket.

When it receives a request, the auxiliary server dynamically creates a
network process, obtaining user account information from one or all of
the following sources:

TCP/IP Services proxy account

Services database

Remote client

Local OpenVMS user authorization file (UAF)

In addition, users requesting services at the client can include their
user account information as part of the command line.

Once a process is created, the auxiliary server starts the requested
service. All services except RLOGIN and TELNET must have access to
their default device and directories and to the command procedures
within them.

The postinstallation configuration procedure, TCPIP$CONFIG, creates an
entry in the services database (TCPIP$SERVICE.DAT) for each service you
configure. If you need to modify your initial configuration, run
TCPIP$CONFIG or use the SET SERVICE command.

The configuration file TCPIP$SERVICE.DAT includes information about the
service name, the socket and protocol type associated with the service,
the user name under which the service should run, and any special
options for the service program.

Before you activate a service manually, configure the auxiliary server
as follows:

Use the OpenVMS Authorize utility to create a restricted user
account for the process. Use the following qualifiers when creating the
account:

/NOINTERACTIVE

/NOBATCH

/NOREMOTE

/FLAGS=(RESTRICTED,NODISUSER,NOCAPTIVE)

For more information about creating restricted accounts, see the
OpenVMS system security documentation.

Provide user account information that can be used when the network
process is created. Plan your requirements carefully before setting
privileges, quotas, and priorities for user accounts.

Provide the network process name. The auxiliary server builds
the network process name from the character string in the services
database. Enter this string with the SET SERVICE command:

TCPIP> SET SERVICE service /PROCESS_NAME=process

Note

For TELNET and RLOGIN, the process name is set by either the system or
users.

Set the maximum number of server processes that can run
simultaneously. This number should not exceed the maximum number of
sockets allowed on the system. To set the maximum number of processes
that can connect to a service at the same time, enter the following
TCP/IP management command:

TCPIP> SET SERVICE service-name /LIMIT=n

In this command, service-name is the name of the service
to which the connections will be limited, and n is the number
of connections that will be accepted by the service at one time. To
activate the change, disable the service using the DISABLE SERVICE
command, and then enable it using the ENABLE SERVICE command.

Make sure that the protections in the systemwide SYLOGIN.COM file
are set appropriately. If they are not, enter the following DCL command:

$ SET PROTECTION=(W:RE) SYS$MANAGER:SYLOGIN.COM

To ensure that the services database has an entry for each service
offered, enter the SHOW SERVICE command.

The services you configured are enabled during the TCP/IP Services startup
procedure. Afterwards, to initialize (enable) a service, enter the
following command:

TCPIP> ENABLE SERVICE

The ENABLE SERVICE command immediately changes the running system. The
SET CONFIGURATION ENABLE SERVICE command causes the services to be
enabled the next time TCP/IP Services starts up.

To specify the type of socket, include the /PROTOCOL qualifier on the
SET SERVICE command line. For example, to specify stream sockets, enter
/PROTOCOL=TCP. To specify datagram sockets, enter /PROTOCOL=UDP.

The auxiliary server can set socket options for a requested service
either before or during data communications. Some available options are:

KEEPALIVE (for TCP communications)

BROADCAST (for UDP communications)

To set the socket options, include the /SOCKET_OPTIONS qualifier on the
SET SERVICE command.

Event logging can help you manage the software. By default,
user-defined services do not log events, but you can enable event
logging for all or selected configured services. You can configure the
product to log events to the operator's console, a log file, or both.
To set up event logging, enter the following command:

TCPIP> SET SERVICE service-name /LOG_OPTIONS=ALL

For a list of all the logging options, see the SET SERVICE command
description in the HP TCP/IP Services for OpenVMS Management Command Reference manual.

OpenVMS systems running TCP/IP Services communicate with other internet
hosts over a variety of physical media. Because TCP/IP is independent
of the underlying physical network, IP addresses are implemented in the
network software, not the network hardware. (See the HP TCP/IP Services for OpenVMS
Software Product Description for a complete list of supported
media.)

A network controller is the hardware connection
between a computer system and a physical network. Controllers perform
the packet channeling to and from the physical medium of your network,
usually a cable.

The network interface is a logical network controller: a software
component that communicates with your network software and the network
controller.

For each interface, you can enable or disable the interface, set the
subnet mask, and assign IP and broadcast addresses.

TCP/IP Services automatically recognizes network controllers at startup.
If you need to change the configuration (remove, modify, or add new
network controllers to your system) after installing and configuring
the product, follow the installation and configuration instructions
that come with your hardware; then run TCPIP$CONFIG again. The
TCP/IP Services software recognizes the new controller immediately, and
creates new interfaces the next time the software starts up.

Note

Hardware installation and configuration instructions are specific to
the various network controllers. Be sure to read the instructions
provided with your new hardware before installing.

The TCP/IP Services product supports one local software interface for
loopbacks and one or more physical network interfaces for each physical
network controller.

The configuration procedure initially configures your network
interfaces. Use the following commands if you need to redefine an
interface or configure serial lines. See Chapter 3 for more
information about configuring serial lines.

SET INTERFACE

SET NOINTERFACE

SET CONFIGURATION INTERFACE

SET CONFIGURATION NOINTERFACE

To display information, use the SHOW INTERFACE command; to disable an
interface, use the SET NOINTERFACE command.

Note

If you are redefining an existing interface, enter the SET NOINTERFACE
command before you enter the SET INTERFACE command.

If the system has multiple interfaces, you can configure failSAFE IP to
provide automatic failover from one interface to the next. This is
useful if an interface goes offline or fails. For more information, see
Chapter 5.